In its 2009–10 Report on Plans and Priorities, Public Safety and Emergency Preparedness Canada included developing a government-wide cybersecurity strategy as one of its priorities. The purpose of that strategy is to achieve cross-government cyberintegrity, protect the economy and critical infrastructure, and combat cybercrimes.
The strategy, which is currently being implemented, requires modernizing, in a context of international cooperation, both the Canadian legislative framework and investigative techniques. This will allow law enforcement and national security agencies to have access to the information they need and to lawfully investigate criminal and terrorist acts perpetrated through the illicit use of new technologies, as well as criminal and terrorist organizations using these technologies to advance their causes.
Although much is being said about cybercrime, there is not unanimous agreement on a single definition of the concept. However, the following definition, used by the Canadian Police College, is gaining acceptance: cybercrime is “a criminal offence involving a computer as the object of the crime, or the tool used to commit a material component of the offence.”
According to this definition, cybercrime may for practical purposes be divided into two categories:
- Pure computer crimes, where a computer is the object of the crime. This category includes specific new offences that target computer systems and networks. Examples are hacking, denial-of-service attacks, and malicious dissemination of computer viruses.
- Computer-supported crimes, where a computer is the instrument used in perpetrating the crime. This category includes the use of a computer to commit such traditional offences as child pornography, harassment, fraud and drug trafficking.
Cybercrime has given rise to a number of challenges for legislators and law enforcement agencies, including:
- the enforcement of Canadian laws in cyberspace and international cooperation in investigating cybercrime;
- the modernization – updating and creating – of offences to include new computer crimes or new forms of offences; and
- the modernization of investigative techniques.
This paper gives a brief overview of the three challenges.
2 International Aspects of Cybercrime
The general principle of territoriality applied in Canada holds that no one can be convicted in Canada of an offence committed entirely outside Canada, except in cases of certain very specific offences, such as torture, terrorism and child sex tourism.
Cybercrime, however, knows no borders, a fact that significantly complicates police investigations. Cooperation among countries is therefore essential in combatting this type of crime.
2.1 Jurisdiction of Canadian Laws
The Convention on Cybercrime (the Convention), to which Canada is a signatory, requires that each State party prosecute cybercrimes committed within its territory. This means that a country could claim territorial jurisdiction in a case where the computer system attacked is on its territory, even if the perpetrator of the attack is not.
Australia, for instance, has expressly given its authorities the power to prosecute a computer hacker who attacks a computer in Australia from outside Australia. The United States has also amended its legislation to permit prosecutions of individuals abroad who hack computers in the United States, as well as individuals in the United States who attack computers in other countries. The amendments also allow the American authorities to investigate hacking from outside the country in cases where a computer in the United States is used as an intermediary.
To eliminate “safe havens,” the Convention requires that State parties that do not extradite an offender because of his or her nationality must have jurisdiction to prosecute the individual within their own territory. Although Canada does prosecute offences committed in this country and extradites its nationals, some clarification is needed regarding enforcement of Canadian laws in relation to offences committed in cyberspace.
2.2 Mutual Legal Assistance Treaties
Under bilateral mutual legal assistance treaties and multilateral conventions, Canada is able to receive and provide assistance in collecting evidence in criminal cases involving other countries, using coercive measures where necessary. However, according to Canadian law enforcement agencies and prosecutors, those mechanisms often take too long. Given the speed with which computer data can be moved around, altered or deleted, a possible solution would be to establish a speedy procedure for preserving evidence in the possession of Canada’s international partners.
As well, evidence in cybercrime prosecutions often comes from numerous different jurisdictions. Witnesses in other countries must therefore come to Canada to testify in court. A report prepared for the Canadian Association of Police Boards proposed that an amendment to the Canada Evidence Act to allow affidavit or video evidence would be worth considering in those cases.
3 Modernization of Offences
Although Canadian law covers most cybercrimes, the emergence of new technologies suggests that a review of Canadian criminal offences could be needed, with updating where necessary.
At present, only disseminating or attempting to disseminate computer viruses (as well as other malicious codes, such as worms and Trojan horses) is an offence.
To ratify the Convention on Cybercrime, Canada would have to amend its Criminal Code (the Code) to make the following activities offences in Canadian law: the production, importation, sale, or the making available or possession of a virus or another malicious code for the purpose of committing a cybercrime.
3.2 Child Pornography
The child pornography provisions currently in the Code seem to be well suited to cyberspace. In addition to production and possession, accessing child pornography (for example, by visiting a web page) and making child pornography available (for example, through the use of a file-sharing program such as P2P) constitute offences.
To help police services combat major cybercrimes like these, a federal–provincial–territorial working group on cybercrime is examining the possibility of compelling Internet service providers (ISPs) to report incidents of child exploitation that occur on their networks.
In June 2008, the Manitoba legislature enacted legislation requiring that individuals report any child pornography they become aware of to Cybertip.ca. Alberta, Nova Scotia and Ontario soon enacted similar legislation.
At the federal level, Bill C-22, which received Royal Assent on 23 March 2011, requires ISPs and other persons providing Internet services (e.g., Facebook, Google and Hotmail) to report any incident connected with child pornography.
The United States and Australia adopted legislation in 2002 and 2005, respectively, imposing this type of obligation on telecommunications service providers.
3.3 Identity Theft
The Code covers most fraudulent uses of personal information by identity thieves. However, before Bill S-4 came into force in January 2010, the Code did not apply to collecting, possessing and unlawfully trafficking in personal information (except in respect of credit cards and computer passwords) for future criminal use.
Bill S-4 has corrected this situation by creating two new offences: identity theft and trafficking in identity information. In addition to updating credit card offences, the bill provides that a judge may order an offender to compensate a victim of identity theft.
Spam consists of unsolicited electronic messages. It has evolved from a nuisance into a vehicle for committing offences such as virus dissemination, fraud and identity theft. Although spam represents about 80% of global email, Canada was, until recently, the only G8 nation with no anti-spam law.
In May 2005, Canada’s Task Force on Spam recommended legislation to prohibit unsolicited commercial electronic messages. Bill C-28, which received Royal Assent on 15 December 2010, provides a clear regulatory scheme, including administrative monetary penalties, with respect to both spam and related threats from unsolicited electronic contact, including identity theft, phishing, spyware, viruses and botnets. It also grants an additional right of civil action to businesses and consumers targeted by the perpetrators of such activities.
3.5 Other Emerging Offences in Cyberspace
In a 2008 survey of law enforcement agencies carried out for the Canadian Association of Police Boards, Crown prosecutors and other representatives of governments in Canada identified two increasingly important issues: cyberbullying of children and organized crime on the Internet.
Although existing offences seem to apply to these two phenomena, it may be worthwhile to examine them further.
4 Modernization of Investigative Techniques
Law enforcement agencies say that new technologies often impede the lawful interception of communications, specifically in relation to users’ anonymity, encrypted messages, and the relatively ephemeral nature of the information. The following sections briefly describe these issues as well as possible approaches to them.
4.1 Intercept Capability
At present, no Canadian legislation compels all telecommunications service providers to use apparatus capable of intercepting communications. The absence of standards regarding telecommunications service providers’ interception capabilities could be remedied by legislation, which could also require all telecommunications service providers – such as Internet service providers or manufacturers of devices such as the BlackBerry – to use technology that would enable law enforcement agencies to intercept telecommunications for investigation purposes after obtaining a judicial authorization.
Australia, the United States and the United Kingdom, among others, have imposed these requirements for more than 10 years.
4.2 Request for Subscriber Information
At present, law enforcement agencies generally require a warrant to compel telecommunications service providers to provide them with personal information concerning their customers. This means that law enforcement agencies holding an Internet protocol address (IP address) associated with the commission of an offence must obtain a warrant to compel the telecommunications service provider to supply the name of the subscriber associated with the IP address. Furthermore, the warrant application must include the name of the person suspected of the offence.
These difficulties could be remedied by adopting special rules to allow law enforcement agencies to compel a telecommunications service provider – without a warrant, but subject to certain requirements – to supply basic identifying information about a subscriber, such as the individual’s name, IP address, email address or telephone number. It has been argued that this kind of information request should still be subject to prior approval by a judge.
It is worth noting that in a February 2009 decision, the Ontario Superior Court of Justice held that subscribers do not have a reasonable expectation of privacy regarding basic information held by their ISP. Later that year, the Ontario Court of Justice clarified the issue, holding, in R. v. Cuttell, that an ISP can disclose the names and addresses of subscribers to law enforcement agencies without a warrant only if the service agreement allows it. Most service agreements with the major ISPs in Canada permit such disclosure.
Recently, the Supreme Court of British Columbia – of the opinion that an ISP receiving a request for subscriber information from a law enforcement agency is not an “Agent of the State” – held that such an ISP may voluntarily disclose this information to the police without the prior approval of a judge.
Considering the uncertainty of the case law on the requirement for a warrant, this debate will probably continue until the Supreme Court of Canada settles the issue.
4.3 Obligation to Retain Telecommunications Data
On 15 March 2006, the European Union adopted Directive 2006/24/EC on the retention of telecommunications data. This directive requires telecommunications service providers to retain this type of data for six months to two years and provide national authorities with access to it for the purposes of the detection and prosecution of serious crime.
In Canada, telecommunications service providers are not required to collect and retain information about their subscribers’ use of their services, such as individuals’ Internet surfing activities.
4.4 Anonymous Services
According to law enforcement agencies, prepaid cell phone cards, Internet access cards, Internet cafés and Internet access terminals in public libraries complicate law enforcement investigators’ jobs, because they allow users to remain anonymous.
At present, telecommunications providers have no obligation to verify their users’ identity.
4.5 Preservation Order
The speed and ease with which information on the Internet can be destroyed or modified can lead to the loss of evidence. Provision in the Code for a preservation order would be one way to guard against this. Such a temporary judicial order, which would be in effect during the time the law enforcement agency sought a search warrant, would require a telecommunications service provider to preserve information about a specific telecommunication or individual.
Former Bill C-51, which died on the Order Paper when the federal general election was called on 26 March 2011, included such orders with regard to the preservation of computer data.
4.6 Production Order
A production order and a search warrant are similar in that they are both provided by a judge. The difference between the two is that in the case of a production order, the person in possession of the information must produce it on request, whereas in the case of a search warrant, the law enforcement agency goes to the place where the information exists to obtain it by seizing it. Law enforcement agencies can more easily obtain documents that are located in another country using a production order.
At present, the Code provides a procedure for obtaining a general production order, one that applies regardless of the type of information a law enforcement agency is seeking. The order is issued based on the existence of reasonable grounds to believe that an offence has been committed. Because there are some who think that the expectation of privacy is lower for telecommunications data than for other types of information, consideration could be given to creating a production order specifically to obtain telecommunications data based on the less stringent criterion of reasonable grounds to suspect that an offence has been committed.
Former Bill C-51, mentioned above, included such orders with regard to the production of certain types of information, such as telecommunications and tracking data.
4.7 Interception of Electronic Mail
The treatment of electronic mail is the subject of debate: Does a law enforcement agency that wants to obtain a suspect’s electronic mail have to apply for a search warrant or for an authorization to intercept under Part VI of the Code? (The rules in Part VI – which allow police services to intercept a “private communication” – are more stringent than the rules relating to search warrants.)
Some argue that, although an email may be a communication, it is not certain that the author can reasonably expect that only the recipient will see it, in other words, that it is private. They contend that, because an email can be easily intercepted, and the author has ready access to encryption technology to guarantee its confidentiality, it cannot be considered a “private communication” within the definition in the Code.
On the other hand, one could argue that this logic also applies to a communication by telephone. Why should a distinction be made between the protection applicable to an email and to a telephone communication, particularly when electronic mail, just as a telephone communication, may well contain a variety of content, including sensitive personal information?
Encryption is a process used to make information unreadable to anyone who does not possess the proper key to decipher it. To protect the confidentiality of messages transmitted on the Internet, encryption technologies have become increasingly sophisticated and accessible.
While useful to protect legitimate communications on the Internet, encryption impedes law enforcement agencies’ lawful interception of communications in the course of criminal investigations.
As a result, telecommunications service providers could be required to give law enforcement agencies access to decrypted communications, regardless of the technology those service providers use. As well, all encryption technologies could be required to contain a decryption key to which law enforcement agencies would have access. However, such a measure raises privacy-related issues.
† Library of Parliament Background Papers provide in-depth studies of policy issues. They feature historical background, current information and references, and many anticipate the emergence of the issues they examine. They are prepared by the Parliamentary Information and Research Service, which carries out research for and provides information and analysis to parliamentarians and Senate and House of Commons committees and parliamentary associations in an objective, impartial manner.